Setting Up a VPN on Linux
If you don't know what a VPN is [1]: it carries traffic between you and a remote network through an encrypted tunnel over a public network. To the sites you visit, your real IP address and location are replaced by those of the VPN server, which also lets you reach sites that your local network blocks.
Now we are going to set up a VPN on CentOS. Commonly used VPN protocols are PPTP, L2TP/IPsec and OpenVPN. PPTP's authentication (MS-CHAPv2) has been broken for years and should not be used; we are going to use OpenVPN here.
Installing & Configuring OpenVPN
We will also install Easy-RSA [2], a public key infrastructure management tool that will help us set up an internal certificate authority (CA) for use with our VPN. The 2.x release used below comes from the legacy easy-rsa-old tree, which still works but is no longer developed.
sudo yum update -y
sudo yum install epel-release -y
sudo yum update -y
sudo yum install -y openvpn wget
# Easy-RSA will act as the internal certificate authority for our VPN.
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
tar xfz /tmp/easyrsa -C /tmp
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -rf /tmp/easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa
sudo chown -R root /etc/openvpn/easy-rsa/
OpenVPN is now installed, so the next step is to configure it. The package does not create /etc/openvpn/server.conf; start from the sample file it ships (under /usr/share/doc/openvpn-<version>/sample/sample-config-files/server.conf), copy it to /etc/openvpn/server.conf, and then edit it:
sudo vim /etc/openvpn/server.conf
Uncomment the following lines by removing the semicolon at the start of each (the sample file shows them as ;push ..., ;user nobody and so on).
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
The default, net30, hands every client its own /30 and can cause network issues; subnet is what you want unless you must support very old Windows clients.
Next, in the DNS block, leave the two OpenDNS lines commented out and add the two Google DNS lines below them. These servers are pushed to every client and all of their lookups go through the tunnel to them, so pick resolvers you are willing to trust with that data.
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Add the following line (after the client-to-client block, for example). It makes the server reject any peer certificate that lacks the client-authentication Extended Key Usage, so a server certificate issued by the same CA cannot be reused to log in as a client:
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
remote-cert-eku "TLS Web Client Authentication"
Replace the tls-auth line with tls-crypt. tls-auth only authenticates control-channel packets with an HMAC; tls-crypt also encrypts them, which hides the TLS handshake, certificates included, from anyone watching the link:
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-crypt myvpn.tlsauth
Leave the cipher block as shipped. As its comment says, a v2.4 client and server negotiate AES-256-GCM automatically in TLS mode, so nothing needs to be added here:
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
With the configuration in place, generate the tls-crypt key it refers to. This is a shared secret: the server and every client need a copy, so keep it readable by root only and hand it to clients over a secure channel.
sudo openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
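For reference, this is the complete server.conf the edits above produce, assembled here as an added example rather than copied from the original post. Port 1194/udp, the 10.8.0.0/24 pool and the keepalive, status and verb lines are the sample file's defaults; the certificate and key paths match where this guide copies them later.

```conf
# /etc/openvpn/server.conf: the sample file's defaults plus the changes
# made in this section.
port 1194
proto udp
dev tun

# Copied from /etc/openvpn/easy-rsa/keys later in this guide.
ca ca.crt
cert server.crt
key server.key          # keep readable by root only
dh dh2048.pem

# Client address pool; 10.8.0.0/24 is also the subnet the NAT rule in the
# Routing section masquerades.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
topology subnet

# Send all client traffic, including DNS lookups, through the tunnel.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Only certificates issued for client use may authenticate as clients.
remote-cert-eku "TLS Web Client Authentication"

# Encrypt and authenticate the control channel with the shared key made by
# openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
tls-crypt myvpn.tlsauth

# No cipher line: v2.4 peers negotiate AES-256-GCM automatically.

keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
```

A client configuration has to mirror three of these settings: the same tls-crypt key (with no key-direction argument, since tls-crypt is symmetric), its own ca.crt, client.crt and client.key, and remote-cert-tls server so that it refuses a peer presenting a client certificate, the counterpart of remote-cert-eku on the server.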
Generating Keys and Certificates
We will create a directory for Easy-RSA to store certificates and keys.
sudo mkdir /etc/openvpn/easy-rsa/keys
Now we need to edit the default Easy-RSA configuration file and fill in our own information.
sudo vim /etc/openvpn/easy-rsa/vars
KEY_CN: your actual domain or subdomain.
KEY_NAME: must be exactly server, because the server certificate is built under that name below and server.conf refers to server.crt and server.key.
Set these two fields deliberately and remember them; any values will do for the others.
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="SL"
export KEY_PROVINCE="Western"
export KEY_CITY="Colombo"
export KEY_ORG="MyCompany"
export KEY_EMAIL="mail@host.domain"
export KEY_CN=mycompany
export KEY_NAME=server
export KEY_OU=myteam
Now source the file so its exports are present in the current shell. Because /etc/openvpn/easy-rsa is owned by root and source ./vars only affects the shell it runs in, do all of this from a root shell (sudo -i) rather than prefixing each command with sudo. Run ./clean-all first to start from a fresh PKI (it deletes any previous certificates and keys), then use the build scripts, which wrap pkitool, to build the CA, the server certificate, the Diffie-Hellman parameters and a client certificate. Only ca.crt, client.crt, client.key and myvpn.tlsauth go to the client; server.key and the CA key never leave the server.
cd /etc/openvpn/easy-rsa
cp openssl-1.0.0.cnf openssl.cnf   # so vars finds an OpenSSL config whatever version is installed
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh                         # this will take some time
./build-key client
cp keys/dh2048.pem keys/ca.crt keys/server.crt keys/server.key /etc/openvpn
Output
A challenge password []:mycompany123
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'SL'
stateOrProvinceName :PRINTABLE:'Western'
localityName :PRINTABLE:'Colombo'
organizationName :PRINTABLE:'mycompany.com'
organizationalUnitName:PRINTABLE:'myteam'
commonName :PRINTABLE:'server'
name :PRINTABLE:'server'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jul 8 05:42:12 2029 GMT (3650 days)
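The challenge password shown in the output is only an attribute embedded in the certificate request; it does not encrypt anything, and build-key writes client.key in the clear (build-key-pass is the variant that protects the key with a passphrase). Before copying files into place it is worth confirming that the PKI has the shape server.conf expects. The script below is an added example, not part of the original post or of Easy-RSA: it checks that a certificate chains to the CA and carries the expected Extended Key Usage, which is exactly what remote-cert-eku "TLS Web Client Authentication" enforces on the server. So that it runs offline it builds a throwaway PKI with plain openssl in a temporary directory (a demo assumption; point the checks at /etc/openvpn/easy-rsa/keys to test the real files), including one client certificate deliberately issued with the server profile.

```sh
#!/bin/sh
# Added example, not from the original post. Verifies what Easy-RSA's output
# must look like for the server.conf in this guide to work: server.crt carries
# the serverAuth EKU, client.crt carries clientAuth, and both chain to ca.crt.
# The demo PKI is built with plain openssl in a temporary directory (an
# assumption of the demo); "badclient" is issued with the server profile on
# purpose to show the failure the check catches.
set -eu

# Print the Extended Key Usage of a PEM certificate, or nothing if it has none.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Succeed only if the certificate chains to the CA and has the expected EKU.
check_cert() {
    cert="$1"; ca="$2"; want="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    [ "$(cert_eku "$cert")" = "$want" ]
}

# Issue a leaf certificate for "$name", signed by the demo CA with the given EKU.
issue_cert() {
    dir="$1"; name="$2"; eku="$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build the demo PKI: a CA, a server cert, a client cert and one wrong client cert.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal req config so the CA gets CA:TRUE without relying on the system openssl.cnf.
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=placeholder\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/req.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$dir/req.cnf" \
        -subj "/CN=mycompany CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" server serverAuth
    issue_cert "$dir" client clientAuth
    issue_cert "$dir" badclient serverAuth   # wrong profile for a client
}

DEMO="${DEMO:-$(mktemp -d)}"
build_demo_pki "$DEMO"
check_cert "$DEMO/server.crt" "$DEMO/ca.crt" "TLS Web Server Authentication" && echo "server.crt: ok"
check_cert "$DEMO/client.crt" "$DEMO/ca.crt" "TLS Web Client Authentication" && echo "client.crt: ok"
check_cert "$DEMO/badclient.crt" "$DEMO/ca.crt" "TLS Web Client Authentication" ||
    echo "badclient.crt: $(cert_eku "$DEMO/badclient.crt"), would be refused by remote-cert-eku"
```

Run it as sh check-pki.sh. The last line shows the case the directive exists for: a certificate the same CA issued for a server fails the client check, so a leaked server certificate cannot be used to log in as a client. The mirror-image protection on the client side is remote-cert-tls server in the client configuration.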
Routing
Open the OpenVPN port in firewalld and enable masquerading. Use the zone that --get-active-zones reports for your interface: on this server it was trusted (which already permits all inbound traffic), but a stock install usually puts the interface in public, in which case substitute that zone in the commands below.
sudo firewall-cmd --get-active-zones
trusted
  interfaces: eth0
sudo firewall-cmd --zone=trusted --add-service openvpn
success
sudo firewall-cmd --zone=trusted --add-service openvpn --permanent
success
sudo firewall-cmd --list-services --zone=trusted
openvpn
sudo firewall-cmd --add-masquerade
success
sudo firewall-cmd --permanent --add-masquerade
success
sudo firewall-cmd --query-masquerade
yes
Next, route the OpenVPN subnet out to the internet. First put the name of the server's primary network interface in a variable (SHARK in our example) and use it to add a permanent NAT rule. The interface is the word that follows "dev" in the output of ip route get; counting fields back from the end of that line breaks on newer iproute2 releases, which append "uid 0" to it.
SHARK=$(ip route get 8.8.8.8 | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $SHARK -j MASQUERADE
success
sudo firewall-cmd --reload
success
Finally, enable IP forwarding. Without it the kernel will not pass packets between tun0 and the network interface, so clients connect but reach nothing. Open /etc/sysctl.conf, add the line below, and apply it.
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sudo sysctl -p
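The routing steps of this section as one script, added here as an example rather than taken from the original post. Its one point of interest is how it finds the egress interface: it prints the word after "dev" in ip route get output, which works both for the CentOS 7 format (8.8.8.8 via 10.0.0.1 dev eth0 src 10.0.0.5) and for newer iproute2 releases that append uid 0 to the same line, where an expression that counts fields back from the end of the line returns the source address instead. The 10.8.0.0/24 subnet is the server.conf default; reading the zone from firewall-cmd --get-default-zone instead of hard-coding trusted is an assumption of the example.

```sh
#!/bin/sh
# Added example, not from the original post: the Routing section as one script.
# The egress interface is the word after "dev" in `ip route get` output, which
# is stable across iproute2 versions; $(NF-2) is only correct on the older
# output that lacks the trailing "uid 0". VPN subnet is the server.conf
# default; the firewalld zone is read from the system (an assumption).
set -eu

VPN_SUBNET="10.8.0.0/24"

# Interface named after "dev" in an `ip route get` line read from stdin.
iface_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The position-based expression, kept only for comparison in the tests.
iface_by_position() {
    awk 'NR == 1 { print $(NF - 2) }'
}

# Interface that carries the default route, probed with a public address.
egress_iface() {
    ip route get 8.8.8.8 | iface_from_route
}

# Open the OpenVPN port, NAT the VPN subnet out of the egress interface and
# turn on IP forwarding persistently. Must run as root.
configure_routing() {
    zone="$(firewall-cmd --get-default-zone)"
    out="$(egress_iface)"
    firewall-cmd --permanent --zone="$zone" --add-service=openvpn
    firewall-cmd --permanent --zone="$zone" --add-masquerade
    firewall-cmd --permanent --direct --passthrough ipv4 \
        -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$out" -j MASQUERADE
    firewall-cmd --reload
    # Without forwarding the kernel drops packets from tun0 bound for the
    # internet no matter what the firewall allows.
    grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
}

# Usage: sudo sh routing.sh apply   (with no argument only the helpers are defined)
if [ "${1:-}" = "apply" ]; then
    configure_routing
fi
```

Without an argument the script only defines its functions, so the interface parsing can be exercised on constructed ip route lines; sudo sh routing.sh apply makes the changes. Both firewalld rules are added with --permanent and then reloaded, so they survive a reboot, and the sysctl line is appended only if it is not already present.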
Starting OpenVPN
sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service
sudo systemctl status openvpn@server.service
The status output should report active (running), and ip addr should now list a tun0 interface. If the unit fails, journalctl -u openvpn@server.service shows the configuration error or missing file that caused it.
References
[1] VPN guide
[2] Easy RSA